After spending some time on data protection, we are back to our beloved ISO 27001. This time, we’ll go past the tip of the iceberg to see what’s hidden, and we’ll spend some time (the whole chapter) better understanding ISO 27001 requirements
The main topics here will be related to iSMS: the meaning of PDCA, project objectives and estimates, team building, project development and selections of controls to be used, and many more.
We will cover the following topics in this chapter:
The iSMS constitutes a benchmark in the implementation of a corporate security controls framework and can become one of the fundamental pillars in guaranteeing a structured, continuous, and risk-oriented approach across the entire entity
Correctly weighing the perimeter of applicability, the necessary resources and skills, and strong support from senior management are the key elements for the success of the iSMS.
The most obvious benefits of an iSMS model are the following:
Annex A of ISO/IEC 27001 contains the objectives and controls, or the thematic areas considered and the controls to be applied (the 14 thematic areas are then broken down into lower-level controls, more details of which are provided in ISO/IEC27002). The areas, or domains, of the whole ISO/IEC 27001 are broken up into the following 14 controls:
Each of these sections then contains subareas that provide directives without, however, providing stringent specifications on the security measures that must be chosen and used in a specific case.
With regard to what has been said previously, the impact of iSMS crosses widespread across the entire organization, so top management support is a fundamental prerequisite to starting the project.
Having said that, it is possible to break down the project into different phases. Let’s analyze them in detail.
This is the first step of the project in which it is necessary to estimate the scope of the project and calculate the construction and maintenance costs.
The size and maturity of the company determine very different approaches: we could consider the basic perimeter at the beginning of the implementation, thus including only the network equipment related to the company (of course including devices in use by remote workers, if any ), systems at greatest risk, and consider gradually enlarging in subsequent project waves, including social accounts, cloud computing and remote repositories
Other variables to consider are support from other structures and offices of the company, aside from the security offices, touching many areas of the company, including the human resources office, legal, and purchases.
Having the right commitment from all the actors involved and from management will be essential to the success of the project.
ISO 27001 relies on continuous improvement and, even if not directly explained in the standard. It will therefore be possible to choose Plan-Do-Check-Act (PDCA, known also as Deming Cycle) as the best iterative methodology.
Figure 6.1 – Plan-Do-Check-Act
PDCA consists of a continuous implementation aimed at constant improvement for effective and adaptive management that follows the evolution of the information system. The four phases of PDCA are described as follows:
PCDA is adopting the aforementioned cycle because it reflects the evolutionary nature of threats. As threats and risks change they require continuous re-evaluation and adaptation, in order to reach the ultimate company goal: Ensure the adequate containment of the overall risk, below an established threshold. We cannot set an arbitrary risk threshold, as company risk appetites may differ.
This is the project phase in which the team responsible for managing the project estimates the necessary effort.
An iSMS requires strong knowledge and experience of the ISO 27001 and its implementation should be followed by professionals who have a background of working on projects of this type and at the same time will need senior managers with sufficient authority to orchestrate all the resources and structures involved.
First of all, it is necessary to identify controls, processes, and procedures that already regulate the scope within which ISO 27001 is to be implemented and all the assets and actors involved: customers, data, partners, offices, and so on.
Once these entities have been identified, it will be necessary to select the controls to be implemented and all the necessary metrics that will serve monitoring purposes.
As ISO 27001 is devoted to any kind of company, the selection of controls and how to interpret and implement them cannot be specific because they depend on the sector in which the company operates, its size, the technologies it uses, and the resources that the company has to implement and manage these controls.
In fact, it is necessary to pay close attention to how many controls to use to ensure you do not jeopardize the psychological acceptability of users and not overload the operational processes. Remember that implementing controls can affecting a company at all levels, at every department. Therefore, it is imperative to work on a few controls at a time.
Once the scope and controls have been established, the management of the iSMS will have to be included in the business processes, and then the PDCA quality management process should be tailored accordingly, formalizing it by following a fairly lean document system that includes at least one policy, a standard, and an operational guide.
At the heart of the iSMS is the risk analysis and assessment process, which allows you to assess the riskiness of threats and therefore establish possible countermeasures.
In this case, the suggestion is to adopt an approach already used in the company, if present, or to create a new one that is simple enough so as not to make the project excessively complicated.
Being able to identify relevant threats and weigh them accurately is a very difficult aspect and typically requires coordinated work between security specialists.
Without going into excessive detail, the risk analysis phases must be as follows:
Ultimately, therefore, it is decided how to intervene when risk is encountered and how to proceed. The options are as follows:
Periodically, it is important to schedule iSMS review and monitoring phases to evaluate its effectiveness and adherence to controls with respect to the context of current threats that could be significantly modified over time.
From this point of view, the quality of the audit and the metrics chosen become the key points for evaluating the project. In particular, the more the metrics are an objective and significant measure of the control in question, the more truthful and simple the analysis will be to carry out.
One of the most important clauses of ISO 27001 is Clause 7 because it sets the standards for implementation (related to training, the implementation team (if internal), and so on). Let’s see the requirements in detail.
In this part, we will focus in depth on Clause 7, which is fundamental because it deals with training and resources. It applies to people, infrastructure, and the environment just as much as it does to physical resources, materials, and equipment. This clause focuses on acquiring the necessary resources, personnel, and infrastructure to build, deploy, maintain, and continuously enhance the iSMS. It addresses the need for competence, awareness, and communication to support the iSMS, and might involve, for instance, providing training and access to staff. This article also stipulates that all individuals working for a company must be aware of its information security policy, how they contribute to its success, and the consequences of failing to comply. Additionally, the company must ensure that internal and external communications pertinent to information security and the iSMS are conveyed effectively. This entails determining what must be conveyed to whom, when, and how.
Tip
Please consider that, once implemented, ISO 27001 has to be maintained too. Therefore, your organization requires someone that is able to improve the value of the certification. Remember the PDCA or Deming cycle? Let’s imagine this with the example of a bicycle: once you jump on and start to cycle, it (you complete the first PDCA cycle) is quite difficult to keep the bicycle steady and at a good speed. After a few meters, you will be pedaling at a faster pace and the handlebars will be more stable, and, in a perfect world, you will be steady forever. Of course, in real life, it works differently: there are traffic lights, pedestrians, cars, and so on that inhibit our progress, but our ride continues.
Organizations must assess the degree of recorded information required for iSMS control. Controlling access to recorded information is also emphasized, reflecting the significance of information security. In your company, there is also a renewed emphasis on knowledge as a vital resource. When designing your quality targets, the present capacity and capability of your resources, as well as those you may need to acquire from external suppliers/partners, will be a crucial concern. This section of the standard specifies the prerequisites for establishing and operating an iSMS. Included in Section 7 are the following:
The company must select and provide the necessary resources for establishing, implementing, maintaining, and continuously improving the information security management system.
Clause 7.1 includes information about the selection and allocation of resources to establish and manage an iSMS, as well as the requirements for ongoing awareness for all personnel executing work within the scope of the iSMS and under the authority of the organization. A sufficient amount of resources must be allocated to the creation, implementation, maintenance, and ongoing enhancement of the iSMS. It is sufficient that roles, duties, and authority be clearly defined and owned – assuming that the appropriate amount of resources will be deployed – but it does not demand that the iSMS be staffed with full-time personnel. Clause 7.1, which serves as an overview of the resources promise, is followed by more detailed criteria in the following clauses
Having access to the necessary resources at the appropriate time is a crucial factor in the success of an iSMS deployment. Remember that each iSMS position holder needs to be competent in their function. Therefore, it is essential to recall the essential duties and resources you will need. This relates to the iSMS’s installation and operations. Core roles will presumably include the following:
During implementation planning, there are many questions that must be presented and answered, such as the following:
These issues are mostly concerned with verifying the availability of the requisite capabilities. Included are inquiries about recording the desired capabilities, determining the present competency set, and establishing potential methods to resolve any competency gaps. Typically, gaps are remedied as follows:
The decisions about these alternatives will rely on the magnitude of the skill gap and whether the competencies are necessary for the iSMS’s adoption or continuous operation.
The organization must identify the requisite competence of all individuals doing work under its control that impacts the performance of information security. It must also guarantee that these individuals are qualified based on their degree, training, or experience. Whenever relevant, it must carry out activities to acquire the required competence, assess the success of those efforts, and keep the requisite documentation as proof of competence. Examples of applicable activities include training, mentorship, or reassignment of present personnel, as well as the recruiting or contracting of competent individuals.
Clause 7.2 of ISO 27001 essentially states that the entity will guarantee it meets the following requirements:
Clause 7.2 stipulates that all iSMS personnel must be competent in their respective tasks. The supply of training, education, experience, and skills leads to competence. All of these must be addressed while managing human resources. To effectively deploy and sustain an iSMS, supporting resources must be in place.
The organization must do the following:
Tip
Be careful as requirements related to sensitive and private information could interfere with data protection.
Clause 7.2 outlines the requirements for individuals to be aware of their iSMS duties. The expertise and abilities of your workers, vendors, and contractors is crucial to the successful application of information security rules. To guarantee an adequate knowledge and skill basis, you must do the following:
Beyond knowledge of physical security, cybersecurity, computer security, and other kinds of information security, a multitude of talents and experiences is necessary for the effective deployment and continuous administration of an iSMS that is certified to ISO 27001. These include commercial, legal, HR, IT, and goods and services expertise relevant to the scope of business. Developing and maintaining an iSMS is often a team effort. Your auditor will expect you to have documentation outlining your required knowledge and abilities. Where you feel the standards have been met, you must provide documentation such as training certificates, course attendance records, or internal competency evaluations. The majority of firms that currently utilize tools such as training/skills matrices, evaluations, or supplier assessments may meet the need for competence records by increasing the categories covered to include information security.
Tip
Of course, this has to be read differently in case you are using a third-party company to implement ISO 27001, but still, your entity should be able to maintain this certification.
The iSMS mandates that all individuals be competent with regard to their iSMS-related roles. Any identified competence deficiencies must be remedied. However, there is limited iSMS-specific training for certain user groups. The following table lists some of these categories and the sort of training that may be necessary:
The following should be considered in the training plan:
When establishing a training plan, the following factors must be considered:
This sort of data may be collected through a gap analysis. Once this sort of data has been collected, a training program may be designed.
The training program should include the following:
People performing work under the control of the organization must be aware of its information security policy, their contribution to the effectiveness of the information security management system, including the benefits of improved information security performance, and the consequences of failing to comply with the information security management system requirements.
Clause 7.3 is a combination of Competency (Clause 7.2) and Communication (Clause 7.4).
The following information must be known by anybody working for the organization:
Typically, this will lead to the setup of training and awareness programs aimed at various groups. Awareness of non-compliance with iSMS rules must also be addressed. In addition to assuring the specialized information security competency of key persons, the broader group of workers, suppliers, and contractors must be aware of the fundamental parts of your iSMS. As part of the iSMS implementation, the organization’s employees must collaborate on the design of an information security policy for approval by senior management. Their job should be well understood since it would have been agreed upon and recorded as part of Clause 7.1. This is essential for developing a supportive culture inside the business. All employees, vendors, and independent contractors should be aware of the following:
The company must identify the necessity for internal and external information security management system-related communications. While determining the communication system, it must establish what is to be communicated, when it is to be communicated, with whom it is to be communicated, who will communicate, and how communication will be carried out.
Communications are crucial to the iSMS implementation process. By making the program and its benefits evident inside and beyond the company, they assist, gain, and sustain support for the program. Benefits of excellent communications programs include ensuring that information security is not regarded as a side problem and is rather front and center. Good communication tactics extend beyond the deployment phase and into the ongoing operations of the iSMS. Important security dashboards, briefings, and warnings are all components of a robust communications system.
Internal and external communication considered important to the iSMS must be decided, as well as the methods by which they must be carried out, taking into account what must be communicated, by whom, at what time, and to whom. To allow the operations of your iSMS to operate well, you must ensure that your communication activities are well planned and controlled. ISO 27001 specifies them in detail by mandating that you determine the following:
If your communication needs are clearly stated in your organization’s policies, rules, and procedures, you do not need to take any further steps to meet this criterion. If they are not, you should consider documenting your important communication actions in the form of a table or method using the preceding headings. Remember that these papers’ contents must also be transmitted. Similar to the realm of training, good communication involves the identification of target audiences, the methods that may be employed (existing or new), the content, and the frequency of messages. The preceding bullet points uncover these components and enable the construction of an all-encompassing communications strategy. The incorporation of resources from corporate communications departments adds substantial value to this arena. Communication techniques have a crucial role:
Plans for communications must include the following:
Clause 7.4 mandates a definitive response to a number of security-related questions:
It is crucial to acknowledge that the communication plan comprises both internal and external components. They will require different considerations to the questions that follow.
The internal communication plan is used by upper management to communicate its aims and commitment to information security. The information security policy, the team within the organization with the essential roles and duties related to security, the awareness strategy, and the general and specialized requirements for responding to incidents are some examples of communication. The internal communication plan should not, however, be unidirectional. Mediums such as telephone and email, for instance, should also be recognized and used to communicate security breaches or emerging vulnerabilities in a bottom-up manner, that is, from on-the-ground users.
The majority of the preceding examples pertain to the internal communication plan, although they also apply to the external communication plan. You may need to communicate with regulatory authorities, public authorities, shareholders, customers, and partners to announce good (success) or bad (failure) occurrences (incidents, accidents, and crises). You will also need a communication plan that answers the answers listed previously in this section. You must be careful with this since you should not reveal or broadcast sensitive information that could worsen your condition.
Depending on the organization’s size and security goals, the formality of the communication plan will vary, being either completely documented as a distinct document or simply expressed in a few phrases within other rules, processes, and plans. So, as long as the required information is communicated to the correct people your solution will be appropriate for your goals and available resources.
Clause 7.5 discusses the obligations for preserving the relevant papers and records that support the iSMS’s activities. Formal documentation of when things have been approved demonstrates compliance with this provision. For the documented information used to develop and manage your iSMS to be useful, it must meet the following requirements:
Access to documented information is controlled so that it cannot be accidentally changed, corrupted, deleted, or accessed by individuals to whom it is not appropriate. Information is deleted in a safe way or returned to its owner when this is a requirement, and you can track changes to information to ensure that the process is in control.
Documentation is necessary to guarantee that procedures are executed in accordance with the management system’s goals. Documentation defines what you will accomplish and gives proof that you have carried out your intentions. The ISO 27001 standard does not define the scope of documentation, which is influenced by a variety of variables. These consist of the following:
Always develop documents with the intended audience in mind. The documentation must be beneficial to the people who will use it. Organizations are required to define and record their procedures as needed. Afterward, they must adhere to their own documents. Say what you do and do what you say.
The following criteria apply to procedures that are not explicitly documented:
Documentation, however, does need management. This management comprises document approvals, standards for accessibility and readability, and other specifications mentioned in Clause 7.5 of the standard.
Internal or external sources may be the origin of your documented information; thus, your control procedures must handle documented information from both sources. Companies with effective document control often have one or more of the following in place:
As we have provided a summary of the clause, now we will detail every subclause.
The term documented information, which will be used several times throughout this chapter, now encompasses both the documents and records definitions from the previous version of the ISO 27001 standard.
This modification was intended to assist with the administration of papers and records mandated by the standard, as well as those deemed vital to the iSMS’s functioning by the organization. It should also be emphasized that the quantity and scope of recorded information required by an organization will vary based on its size, activities, goods, and services, the complexity of its processes and their interrelationships, and the expertise of its employees.
The standard stipulates that information generated or updated within the scope of the iSMS must be appropriately recognized and characterized, taking into consideration how the content is presented and the medium through which this is done. All recorded information must be subjected to appropriate review and approval processes to verify its suitability.
The standard says that recorded information required by the iSMS, as well as the standard itself, must be accessible, usable, and sufficiently safeguarded against destruction or loss of integrity and identity, regardless of its internal or external origin. For the correct management of recorded information, the organization must provide distribution, retention, access, use, retrieval, preservation, and storage methods, as well as control and disposal procedures.
Documented information required by the information security management system and by ISO 27001 documentation must be appropriately checked to ensure (note: the originating clauses are in brackets):
Tip
The terms in bold are the respective clauses of Annex A of ISO 27001. Concerning non-conformance, ISO defines them as “the failure to meet one or more requirements that are outlined throughout the mandatory clauses.”
The distinction between a document and a record is that records are time-stamped proof of activity. Periodically, documents are examined and updated. Typically, they are versioned. In addition to the records mentioned previously, other relevant documents may include the following:
Tip
I think you imagine a truckload of documentation to be prepared and ready, but a high percentage of the companies I personally assessed needed “only” the paperwork required to fulfill the criteria of clauses 4 to 10 consisting of around 25 to 35 pages in total (excluding title pages and version control, I mean the version number). Among them are the outcomes of the management review, the internal audit report, the risk assessment, and the performance evaluations. This amount of pages for clauses 4 through 10 is generally intended to be independent of the organization’s size; nonetheless, bigger organizations have additional paperwork related to, for example, performance management and internal auditing.
The second major sort of documentation is information security policies, which are more diverse. 20 to 40 pages of documentation have been required for the ISO 27001 implementations I’ve performed for smaller organizations (with maybe a few thousand users). Larger organizations need more policy-related paperwork, although it typically did not exceed 60 pages.
The third form of documentation is the documentation/records generated as a consequence of running the controls/procedures, such as visitor records, change control records, and penetration test reports, where the type of documentation generated is highly reliant on what is implemented.
If you have more than this, you may have made things more complicated than necessary. Or maybe you do need it all to effectively handle information security concerns. But I doubt it.
So, once everything is in place (policies, controls, procedures, and so on), you can have your audit and, if it’s successful, you can obtain your ISO 27001 certification. But can you later lose it?
Yes. Auditors will periodically return on-site (or remotely) and request evidence that you are continuing to comply with all regulations. If you cannot provide evidence that you are, they will revoke your ISO 27001 certification. So, we must ensure that we continue to comply with all ISO 27001 requirements.
Be aware that if the organization has a policy or procedure that specifies how things should be done, it is crucial that the policy or process is accurate. For instance, if a policy or procedure states All visitors must be accompanied by a relevant member of staff, it is imperative that all visitors without exception. If a policy or procedure is not consistently adhered to in practice, either the policy or procedure must be revised, or individuals must ensure that they adhere to it.
It is vital to record instances of disparity between an organization’s policies/processes and what is really in place in order to determine whether the policy/process should be amended. Remember that a policy or practice does not need to be recorded in order to be legitimate and adhered to.
Be cautious when adopting improvements, shortcuts, or changes that do not align with the organization’s rules or processes. You should get formal approval for this action and, if required, modify the policies/processes properly.
You should also report anything that seems to have the potential to expose sensitive information to unauthorized parties, for instance, if you notice that a door lock is broken or that critical papers have been left on a desk overnight.
Remember the fundamentals of security , such as the following:
In previous paragraphs, I translated the main requirements of Clause 7 to demonstrate how to use them more easily. Of course, as we have said many times, ISO 27001 is continuously evolving and improving. You can improve on the basic requirements proposed within the clause. For instance, you can require internal training every 3 months for all your employees and install document shredding machines to destroy documents. It’s entirely up to you; there is always room for improvement. Just remember: don’t excessively implement bureaucratic or unsustainable procedures; they can be a waste of time for your employees and your company.
Well, that’s another chapter filled with a lot of information that we’ve completed. You’ve learned what the requirements, steps, and documentation to provide to fulfill ISO 27001 accomplishment are. At the same time, you should be aware that you can lose the status of ISO 27001 certified company just by non-completing the relevant information.
In the next chapter, we’ll deep dive into risk management, policies, and controls.